CVE-2025-29927: Critical Next.js Authorization Bypass Vulnerability

The vulnerability permits attackers to bypass middleware-level authorization mechanisms, granting them unauthorized access to restricted parts of a Next.js application. This could lead to exposure of sensitive data or unintended functionality. An attacker could craft a request containing the x-middleware-subrequest header and send it to a vulnerable Next.js application. By manipulating the header’s value, the attacker could bypass security checks designed to restrict access. For example, they could gain access to admin-only endpoints or restricted user data.

CVE

CVE-2025-29927

Affected Products

Self-hosted Next.js applications using Middleware (next start with output: standalone) This affects you if you rely on Middleware for auth or security checks, which are not then validated later in your application. Next.js <15.2.3 Next.js <14.2.25 Next.js <13.5.9 Next.js <12.3.5

Exploitation

Exploitation in the wild has been confirmed with a publicly available PoC[2], further facilitating unauthorized access and potential misuse of vulnerable systems.

Recommended Actions

1. Upgrading to one of the patched versions (15.2.3, 14.2.25, 13.5.9, 12.3.5) of Next.js provided by the vendor.
2. Prevent external user requests containing the x-middleware-subrequest header to ensure they do not reach your Next.js application.

References

[1] https://nextjs.org/blog/cve-2025-29927
[2] https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware